Configuring TLS Certificates for Horizon 7 Servers

A default TLS server certificate is generated when you install Connection Server instances, security servers, or View Composer instances. You can use the default certificate for testing purposes.

Certificates used for communication between Connection Server instances, and between Horizon Agents and Connection Server instances, are replaced by an automatic mechanism and cannot be replaced manually. For details, see the Horizon 7 Security document.

Important:

Replace the default certificate as soon as possible. The default certificate is not signed by a Certificate Authority (CA). Use of certificates that are not signed by a CA can allow untrusted parties to intercept traffic by masquerading as your server.

To configure a Connection Server instance, security server, or View Composer instance to use a TLS certificate, you must import the server certificate and the entire certificate chain into the Windows local computer certificate store on the Connection Server, security server, or View Composer host.
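The import described above, as an added PowerShell example that is not part of the Horizon documentation. It assumes a PKCS#12 file (server.pfx) holding the server certificate and private key, separate DER/PEM files for the intermediate and root certificates, an elevated session on the Horizon host, and the friendly name "vdm" by which Horizon selects its server certificate (taken from the product's certificate documentation, not from this page):

```powershell
# Added example (not VMware's own code): import a CA-signed server certificate
# and its full chain into the Windows local computer store on a Connection
# Server, security server, or View Composer host. Paths are assumed.
$PfxPath          = 'C:\certs\server.pfx'
$IntermediatePath = 'C:\certs\intermediate.cer'
$RootPath         = 'C:\certs\root.cer'
$PfxPassword      = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Leaf certificate with its private key goes into Personal (My).
$imported = Import-PfxCertificate -FilePath $PfxPath `
                -CertStoreLocation 'Cert:\LocalMachine\My' `
                -Password $PfxPassword -Exportable

# 2. Intermediate and root certificates go into the stores the host uses to
#    build the chain (Intermediate Certification Authorities and Trusted Root).
Import-Certificate -FilePath $IntermediatePath -CertStoreLocation 'Cert:\LocalMachine\CA'   | Out-Null
Import-Certificate -FilePath $RootPath         -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Horizon picks the certificate whose friendly name is "vdm" (assumption:
#    convention from the product documentation). Make sure only the new one
#    carries that name, otherwise the selection is ambiguous.
Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $imported.Thumbprint } |
    ForEach-Object { $_.FriendlyName = '' }
$leaf = Get-Item "Cert:\LocalMachine\My\$($imported.Thumbprint)"
$leaf.FriendlyName = 'vdm'

# 4. Check that the host can build and validate the chain for TLS server use,
#    with the name clients will connect to. Test-Certificate returns $false and
#    writes the reason when the chain, EKU or name check fails.
$fqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
if (-not (Test-Certificate -Cert $leaf -Policy SSL -DNSName $fqdn)) {
    throw "Certificate $($leaf.Thumbprint) does not validate for $fqdn on this host."
}
"Installed $($leaf.Subject) as 'vdm' (thumbprint $($leaf.Thumbprint)); restart the Horizon service to pick it up."
```

Step 4 is the check worth keeping: a certificate that imports cleanly but whose intermediate is missing from the CA store will be served with an incomplete chain, and some clients will refuse it while the server itself reports nothing.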

If a Horizon 7 server certificate is signed by a CA that is not trusted by Horizon Client computers or by the computers used to access Horizon Administrator, you can configure all Windows client systems in a domain to trust the root and intermediate certificates. To do so, you must add the public key for the root certificate to the Trusted Root Certification Authorities group policy in Active Directory and add the root certificate to the Enterprise NTAuth store.
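One way to publish the trust anchors to the domain, as an added example that is not part of the Horizon documentation. It uses certutil's AD publishing targets (RootCA, SubCA and NTAuthCA are real certutil store names), assumes the certificate file paths shown and an account with Enterprise Admins rights, and ends with a check run on a domain-joined client after group policy has refreshed:

```powershell
# Added example (not VMware's own code): publish the root and intermediate
# certificates to Active Directory and then confirm a client received the root.
$RootPath         = 'C:\certs\root.cer'          # assumed path
$IntermediatePath = 'C:\certs\intermediate.cer'  # assumed path

# Run once, as an Enterprise Admin, on any domain member:
# Trusted Root Certification Authorities (distributed to domain members by policy)
certutil.exe -dspublish -f $RootPath RootCA
# Intermediate Certification Authorities
certutil.exe -dspublish -f $IntermediatePath SubCA
# Enterprise NTAuth store
certutil.exe -dspublish -f $RootPath NTAuthCA

# Run on a domain-joined client (elevated) to verify the root arrived.
gpupdate.exe /target:computer /force | Out-Null
$rootThumb = (Get-PfxCertificate -FilePath $RootPath).Thumbprint   # works for .cer files too
$present = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $rootThumb
if ($null -eq $present) {
    throw "Root CA $rootThumb is not in this client's Trusted Root store; check policy scope."
}
"Root CA $rootThumb is trusted on $env:COMPUTERNAME"
```

Publishing via certutil writes the certificates into the AD configuration partition, which domain members download with group policy; if your environment instead ships the root through an explicit GPO under Public Key Policies, the client-side check at the end applies unchanged.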

Each Connection Server instance performs certificate revocation checking on its own certificate and on those of the security servers paired to it. Each instance also checks the certificates of vCenter and View Composer servers whenever it establishes a connection to them. By default, all certificates in the chain are checked except the root certificate. You can, however, change this default.
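To see what the default revocation behaviour described above amounts to, here is an added PowerShell example (not part of the Horizon documentation) that fetches the certificate a Horizon server presents and builds its chain with online revocation checking, skipping the root by default exactly as the page states; the hostname and port are assumptions:

```powershell
# Added example (not VMware's own code): reproduce the chain and revocation
# check from an administrator's workstation against a Horizon server.
function Test-HorizonServerChain {
    param(
        [Parameter(Mandatory)][string]$Server,   # e.g. 'cs01.example.com' (assumed)
        [int]$Port = 443,
        [switch]$IncludeRoot                    # page default: the root is NOT checked
    )
    Add-Type -AssemblyName System.Security

    # Fetch the leaf certificate over TLS. The callback accepts anything here
    # only so the certificate can be inspected; the real verdict comes from
    # the explicit chain build below, not from this handshake.
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Server)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally { $tcp.Close() }

    # Build the chain with live CRL/OCSP lookups for every certificate except,
    # by default, the self-signed root (there is nobody else to ask about it).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode  = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag  = if ($IncludeRoot) { 'EntireChain' } else { 'ExcludeRoot' }
    $chain.ChainPolicy.VerificationFlags = 'NoFlag'
    $valid = $chain.Build($leaf)

    [pscustomobject]@{
        Server      = $Server
        Subject     = $leaf.Subject
        Thumbprint  = $leaf.Thumbprint
        ChainDepth  = $chain.ChainElements.Count
        ChainValid  = $valid
        Problems    = ($chain.ChainStatus |
                         ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

# Usage (assumed hostname): a RevocationStatusUnknown or OfflineRevocation entry
# in Problems means the CRL/OCSP endpoint was unreachable, which is the failure
# mode to watch for when a server sits behind a restrictive egress policy.
Test-HorizonServerChain -Server 'cs01.example.com'
```

Running it with `-IncludeRoot` mirrors the non-default setting the page mentions; most roots carry no revocation information, so expect `RevocationStatusUnknown` in that mode unless your CA publishes one.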

To comply with industry or jurisdictional security regulations, you can replace the default TLS certificate that is generated by the PCoIP Secure Gateway (PSG) service with a certificate that is signed by a CA.

A CA is a trusted entity that guarantees the identity of the certificate and its creator. When a certificate is signed by a trusted CA, users no longer receive messages asking them to verify the certificate, and thin client devices can connect without requiring additional configuration.